Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Team Budget Request v4 #192

Open
rareweasel opened this issue Jan 31, 2024 · 2 comments
Open

Security Team Budget Request v4 #192

rareweasel opened this issue Jan 31, 2024 · 2 comments
Labels
approved An approved budget request budget request A budget request

Comments

@rareweasel
Copy link

rareweasel commented Jan 31, 2024

Scope

This budget request is for the security team comprised currently of two core contributors and a part-time contributor to continue contributing with security related work in the yearn ecosystem.

The list of previous budget requests:

This request will cover one quarter (3 months) and continue the team's work on security reviews for all contracts under development in the yearn teams as capability allows and other described tasks. Over the following period, these budget requests should develop and provide a detail of work attempted and achieved.

This request also will detail an overview of the team's goals and objectives for the period.

Note that this budget request includes no revenue share.

Presentation link.

Plan

Note that there are no clawbacks based on the below performance targets. But performance should impact future budget requests.

Security Reviews

The security team will continue to work on the following:

  • Internal security reviews for all contracts develop by yTeams and changes or updates in the current ones in production.
  • Internal security reviews for the Core Protocol, including v2/v3 vaults, v3, yCRV, yETH and any other Yearn's product as required.
  • Management of the Risk Framework and internal security review process for v2 and v3 strategies.
  • Review scores and allocations frequently in the Risk Framework to ensure risk information is properly presented to users.
  • Coordinate with infrastructure team on support for risk framework updates, bugs and issues for off chain data. (see on chain risk framework section for details)
  • Help, guidance and coordination with auditors and external security reviewers for engagements with protocol-related contracts. (Each team needs to request their own audit security budget.)
  • Review and triage bounty reports through our multiple pre-established channels, such as Immunefi, vyper disclosures or any other source.

Ad hoc

The security team will also continue working with existing Yearn teams (or new ones) to provide ad-hoc support. Including but not limited to offering:

  • Lead retros for incidents
  • Incident support
  • Fuzz and invariant testing workshops, learning resources and support to help yearn devs
  • Create guidelines and minimal process for operational security of yearn high impact multisigs, communicate them and review adherence to established procedures.
  • Smart contract development
  • Product design
  • Protocol and Security related tooling development
  • Multisig coordination for emergency transactions
  • Security related events support e.g war room games, conferences talks, etc.

External Security Review Process Guidelines

  • Define and implement a process for yTeams to select and pay for external security reviews including audits/contests/solo auditors.
  • Track output of external security engangements and report them to yTeams.
  • Check effectivenes of process and improve it with feedback on reports.

Goals

The security team plans to:

  • Fuzzing and invariant testing:

    • Establish and lead a campaign across yearn teams to incorporate fuzzing and invariant testing.
    • Create learning resources, example repos, coordinate/lead workshops.
    • Update security review internal process to require stricter testing rules for production deployment.
    • Update risk scoring process and documentation regarding testing scores.
    • Add fuzzing and invariant testing for real yearn products as example for learning resources.
      • veYFI fuzzing and invariant testing
      • Compound lender/borrower example fuzzing
  • Multisig operations security:

    • Establish and lead a working group composed of several yteams.
    • Collect feedback and areas of improvement.
    • Present public draft for minimun viable multisig operational procedure.
    • Publish procedures
    • Present a plan to review periodically past multisig operations against established procedures.
    • Manage the continuous improvement process of the procedures.
  • Risk Framework On-chain:

    • Integrate v3, yETH and other core contracts as needed.
    • Support up to date scores.
  • General Security

    • Help create and review Due Dilligence documents on new protocols used by yearn's strategies, when applicable. This item will consider external risk data providers to coordinate new v3 risk scoring process.
    • Each security review differs in time and scope but we are estimating it based on normal strategy reviews.
    • Create an internal checklist with the common issues in the v3 strategies to help the strategists to improve the development.
    • Start/continue reviewing new strategies for v3.
    • Continue reviewing updates/new strategies for v2.
    • Improve Github issues to make easier the security process.
    • Define a process for yTeams to select and pay for external security reviews including audits/contests/solo auditors.
    • Track output of external security engagements and check effectiveness of process.
    • Follow up on the actions discussed in the war room, retros, and similar calls with the assigned contributors, reviewing ETA.
    • Become owner and lead of the Single Process security-wise for the v3 vaults working with the strategists and other contributors in order to get the best (and simple) process to increase our TVL, and revenue.
    • Be part of the Vyper security group.
  • General

    • Improve our communication giving updates about our tasks in internal groups periodically.
    • Implement an active improvement process, asking for feedback to different contributors and retest the results periodically.

Period

It will cover 3 months:

  • From: 2024-02-01
  • To: 2024-04-30

People

  • Rare Weasel
  • Tapir
  • Mil0x (part-time)

Money

This budget request includes the following concepts:

  • 2 core contributor grants.
  • 1 part-time contributor.

Funds to be streamed over three months, starting 1st February 2024.

Total:

85,990.00 DAI

Any funds not spent at the end of the period will be transferred back to the yBudget team or considered for the next period.

Funds Details

Fund Details

Wallet address

0x4851C7C7163bdF04A22C9e12Ab77e184a5dB8F0E

Reporting

Monthly in this issue.

@rareweasel rareweasel added the budget request A budget request label Jan 31, 2024
@github-project-automation github-project-automation bot moved this to Needs Sorted in yBudget Jan 31, 2024
@rareweasel
Copy link
Author

rareweasel commented Mar 4, 2024

Security Team February Updates

@newmickymousse newmickymousse added the approved An approved budget request label Mar 19, 2024
@rareweasel
Copy link
Author

Security Team March Updates

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved An approved budget request budget request A budget request
Projects
Status: Needs Sorted
Development

No branches or pull requests

2 participants